Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 1st week of March 2018

New Detection Technique – FlawedAmmyy

In February 2018, Proofpoint researchers analyzed a massive email campaign containing a zipped .url attachment, sent by the threat actor they refer to as TA505. TA505 has also been involved in Dridex and Locky campaigns. The subject of the emails matches the pattern 'Receipt No xxxxxxxx,' where 'x' represents random digits, and the word 'Receipt' could also be 'Bill' or 'Invoice.'

The emails deliver a remote access trojan dubbed 'FlawedAmmyy', which is built from the leaked source code of the Ammyy Admin remote desktop software and has been in use since early 2016.

When the recipient extracts and opens the .url file (a Windows Internet Shortcut, which Windows treats as a link to a remote location), the shortcut points to a JavaScript file hosted on a remote host reached over SMB, so the script is fetched and executed directly from the share rather than downloaded through a web browser. The script then retrieves a tool called Quant Loader, which in turn fetches the FlawedAmmyy RAT as the final payload. Both .url attachments and JavaScript delivered over SMB are unusual on their own, and this was the first time the two techniques had been observed together.
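Detection logic for the first stage of that chain, as an added example (not code from the original update or from Proofpoint): a small Python parser for Windows Internet Shortcut (.url) files that reads the URL= entry and flags a target on a remote host reached through the file: scheme or a UNC path, escalating when the target has a script or executable extension. The sample shortcuts are constructed for illustration, and the host addresses are from documentation ranges, not campaign indicators.

```python
import re
from urllib.parse import urlparse

# Constructed sample shortcuts (not from the campaign). The first is benign;
# the other two point at a JavaScript file on a remote host, the pattern the
# text describes: Windows resolves a file:// or \\host target over SMB.
BENIGN_SHORTCUT = "[InternetShortcut]\r\nURL=https://www.example.com/\r\n"
FILE_SCHEME_SHORTCUT = "[InternetShortcut]\r\nURL=file://192.0.2.10/share/invoice.js\r\n"
UNC_SHORTCUT = "[InternetShortcut]\r\nURL=\\\\192.0.2.10\\share\\Receipt.js\r\n"

# Extensions Windows executes or hands to a script host when opened.
EXECUTABLE_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
                   ".exe", ".scr", ".lnk"}


def parse_internet_shortcut(text):
    """Return the URL= value from the [InternetShortcut] section, or None."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "url":
                return value.strip()
    return None


def classify_shortcut(text):
    """Classify a .url file as invalid, benign, suspicious or malicious.

    Returns (verdict, reason). Remote targets are anything that makes
    Windows open an SMB session: a UNC path or a file: URL with a host.
    """
    url = parse_internet_shortcut(text)
    if url is None:
        return "invalid", "no URL= entry in [InternetShortcut]"

    if url.startswith("\\\\"):
        # UNC path: \\host\share\path, always a remote (SMB) access.
        host = url[2:].split("\\", 1)[0]
        path = url
    else:
        parsed = urlparse(url)
        if parsed.scheme.lower() != "file":
            return "benign", "%s URL, opened by the browser" % parsed.scheme
        host = parsed.netloc
        path = parsed.path
        if not host or host.lower() == "localhost":
            return "benign", "file: URL to a local path"

    match = re.search(r"\.[A-Za-z0-9]+$", path)
    ext = match.group(0).lower() if match else ""
    if ext in EXECUTABLE_EXTS:
        return "malicious", "remote SMB target on %s with executable extension %s" % (host, ext)
    return "suspicious", "remote SMB target on %s" % host


if __name__ == "__main__":
    for sample in (BENIGN_SHORTCUT, FILE_SCHEME_SHORTCUT, UNC_SHORTCUT):
        print(parse_internet_shortcut(sample), "->", classify_shortcut(sample))
```

A mail gateway or sandbox can run this over every .url inside a ZIP attachment; any remote target is worth quarantining, since a legitimate shortcut to a share is rare in inbound mail and an outbound SMB connection from the mail client's host is the visible network artefact of this chain.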

We've added IDS signatures and the following correlation rule to detect this activity:

System Compromise, Malware RAT, Win32/FlawedAmmyy

New Detection Technique – TSCookie

TSCookie malware has appeared in several targeted attacks since 2015. It is commonly spread by email and has recently been delivered by messages impersonating the Ministry of Education and Sports in Japan.

TSCookie serves as a downloader. It communicates with its C&C servers over HTTP and downloads a module together with its loader. The malware carries an encrypted DLL that is decrypted and loaded in memory; this DLL performs the core functions, such as communicating with the C&C servers over an RC4-encrypted channel.

TSCookieRAT is the final payload downloaded and executed on a TSCookie infection. It can execute arbitrary shell commands, send system information and retrieve browser passwords. All of its communications are performed over HTTP, with each message encrypted separately.

We've added IDS signatures and the following correlation rule to detect this activity:

System Compromise, Trojan infection, TScookie

New Detection Techniques – Mobile Trojan Infection

We've updated the following correlation rules as a result of additional recent malicious activity:

We've added new IDS signatures covering the abuse.ch SSL Blacklist, a list of SHA-1 fingerprints of TLS certificates identified by Abuse.ch as associated with malware or botnet activity. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:
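The matching step such signatures perform, as an added example (not the product's own rule logic): Python that parses a blacklist in the CSV layout the abuse.ch SSL Blacklist publishes (listing date, SHA-1 fingerprint, listing reason, with '#' comment lines), normalizes the colon-separated fingerprint form that TLS logs such as Suricata's eve.json use, and reports connections whose server certificate fingerprint is listed. The certificate bytes, blacklist entries and TLS events below are constructed; the fingerprints are not real listings and the addresses are documentation ranges.

```python
import csv
import hashlib
import io


def cert_sha1(der_bytes):
    """SHA-1 fingerprint of a DER-encoded certificate: lowercase hex, no separators."""
    return hashlib.sha1(der_bytes).hexdigest()


def normalize_fingerprint(fp):
    """Accept 'ab:cd:..', 'AB CD ..' or bare hex and return lowercase bare hex."""
    return "".join(ch for ch in fp.lower() if ch in "0123456789abcdef")


def colon_form(sha1_hex):
    """Render a bare SHA-1 the way Suricata's tls.fingerprint field does."""
    return ":".join(sha1_hex[i:i + 2] for i in range(0, len(sha1_hex), 2))


# Constructed stand-ins for server certificates. These are not real DER,
# only bytes to fingerprint so the example runs offline.
C2_CERT_DER = b"\x30\x82\x01\x00constructed-c2-certificate-bytes"
GOOD_CERT_DER = b"\x30\x82\x01\x00constructed-legitimate-certificate"

# Constructed blacklist in the SSLBL CSV layout: Listingdate,SHA1,Listingreason.
# The first entry is the fingerprint of C2_CERT_DER; the second is made up.
SSLBL_CSV = """# abuse.ch SSL Blacklist (constructed sample)
# Listingdate,SHA1,Listingreason
2018-02-27 10:15:00,%s,Dridex C&C
2018-03-01 08:00:00,0123456789abcdef0123456789abcdef01234567,TrickBot C&C
""" % cert_sha1(C2_CERT_DER)

# Constructed TLS events shaped like Suricata eve.json tls records.
TLS_EVENTS = [
    {"src_ip": "10.0.0.5", "dest_ip": "198.51.100.7", "dest_port": 443,
     "tls": {"subject": "CN=example.net",
             "fingerprint": colon_form(cert_sha1(GOOD_CERT_DER))}},
    {"src_ip": "10.0.0.5", "dest_ip": "203.0.113.9", "dest_port": 8443,
     "tls": {"subject": "CN=localhost",
             "fingerprint": colon_form(cert_sha1(C2_CERT_DER)).upper()}},
    {"src_ip": "10.0.0.8", "dest_ip": "198.51.100.7", "dest_port": 443,
     "tls": {"subject": "CN=example.net"}},  # no certificate seen (resumed session)
]


def load_sslbl(text):
    """Parse SSLBL CSV text into {sha1: (listing_date, reason)}."""
    entries = {}
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].lstrip().startswith("#") or len(row) < 3:
            continue
        sha1 = normalize_fingerprint(row[1])
        if len(sha1) == 40:  # skip malformed lines rather than matching on junk
            entries[sha1] = (row[0].strip(), row[2].strip())
    return entries


def match_tls_events(events, blacklist):
    """Return one hit dict per event whose server certificate is blacklisted."""
    hits = []
    for ev in events:
        fp = normalize_fingerprint(ev.get("tls", {}).get("fingerprint", ""))
        if fp in blacklist:
            listed, reason = blacklist[fp]
            hits.append({"src_ip": ev["src_ip"], "dest_ip": ev["dest_ip"],
                         "dest_port": ev["dest_port"], "sha1": fp,
                         "reason": reason, "listed": listed})
    return hits


def scan():
    """Run the constructed events against the constructed blacklist."""
    return match_tls_events(TLS_EVENTS, load_sslbl(SSLBL_CSV))


if __name__ == "__main__":
    for hit in scan():
        print("%(src_ip)s -> %(dest_ip)s:%(dest_port)s  %(reason)s (listed %(listed)s)" % hit)
```

The fingerprint is over the certificate the server presents, so a resumed session that carries no certificate produces no match; pair this with a JA3 or IP-based rule if you need coverage for those connections. Listing dates matter too: operators rotate certificates, so an old entry is evidence of infrastructure reuse rather than proof of current activity.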

New Detection Technique – AZORult

The malicious emails in this campaign carried a single RTF attachment containing three different exploits, delivered as embedded .exe files and OLE objects. The vulnerabilities targeted are CVE-2017-8759 (.NET Framework), CVE-2017-11882 (Office Equation Editor) and CVE-2017-0199 (Office and WordPad OLE handling). If any one of the three exploits succeeds, the system is infected with AZORult version 2.
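Triage logic for an RTF like the one described, as an added example (not code from the original update or from any vendor analysis): Python that extracts the hex-encoded \objdata blobs from an RTF file and flags indicators associated with the three exploit routes named above: an \objupdate control word (the object is refreshed when the document opens, as in CVE-2017-0199 delivery), an Equation Editor object class (the CVE-2017-11882 target), the soap:wsdl= moniker seen in CVE-2017-8759 exploit documents, and an embedded PE image. The sample RTF and object bytes are constructed and contain no exploit; treat the checks as heuristics for prioritising samples, not a substitute for a full RTF and OLE parser.

```python
import re

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")           # compound file header
EQUATION_CLSID = "0002ce02-0000-0000-c000-000000000046"   # Equation Editor 3.0
CONTROL_WORD = re.compile(r"\\[A-Za-z]+-?\d* ?|\\'[0-9A-Fa-f]{2}")


def extract_objdata(rtf):
    """Decode every \\objdata hex blob in an RTF document into bytes."""
    blobs = []
    for m in re.finditer(r"\\objdata\b([^}]*)", rtf):
        body = CONTROL_WORD.sub("", m.group(1))       # drop stray control words
        hexchars = re.sub(r"[^0-9A-Fa-f]", "", body)  # keep only hex digits
        if len(hexchars) % 2:
            hexchars = hexchars[:-1]                  # tolerate a truncated blob
        if hexchars:
            blobs.append(bytes.fromhex(hexchars))
    return blobs


def triage_rtf(rtf):
    """Return a list of (tag, description) findings; an empty list means nothing flagged."""
    findings = []
    lowered = rtf.lower()
    if re.search(r"\\objupdate\b", lowered):
        findings.append(("objupdate", "embedded object is refreshed when the document opens"))
    if "equation.3" in lowered or EQUATION_CLSID in lowered:
        findings.append(("equation-editor", "Equation Editor object class referenced"))
    for blob in extract_objdata(rtf):
        low = blob.lower()
        if OLE2_MAGIC in blob:
            findings.append(("ole2-stream", "compound file header inside object data"))
        if b"equation.3" in low:
            findings.append(("equation-editor-data", "Equation Editor class name inside object data"))
        if b"soap:wsdl=" in low:
            findings.append(("soap-moniker", "SOAP WSDL moniker inside object data"))
        if b"MZ" in blob and b"PE\x00\x00" in blob:
            findings.append(("embedded-pe", "PE executable markers inside object data"))
    return findings


# Constructed object bytes. The layout loosely follows an OLE1 object header
# (version, format, class-name length, class name) so the checks have
# something realistic to find; nothing here is executable.
FAKE_OBJECT = (
    b"\x01\x05\x00\x00\x02\x00\x00\x00"
    + b"\x0b\x00\x00\x00Equation.3\x00"
    + OLE2_MAGIC + b"\x00" * 16
    + b"MZ" + b"\x00" * 6 + b"PE\x00\x00"
    + b"constructed, not a real executable"
)

# Constructed RTF wrapper: an embedded, auto-updating Equation.3 object.
SUSPICIOUS_RTF = (
    "{\\rtf1\\ansi{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
    "{\\*\\objdata " + FAKE_OBJECT.hex() + "}}}"
)
CLEAN_RTF = "{\\rtf1\\ansi Hello, this is an ordinary document.\\par}"


if __name__ == "__main__":
    for name, doc in (("suspicious", SUSPICIOUS_RTF), ("clean", CLEAN_RTF)):
        print(name, triage_rtf(doc))
```

Real samples obfuscate the control words (for example by splitting \objdata across groups or padding the hex with junk), so a negative result here proves little; a positive result on any of these tags is enough to route the file to a sandbox ahead of the queue.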

AZORult is an information-stealing trojan with C&C capabilities. It steals passwords saved in web browsers and email clients, collects wallet.dat files from popular Bitcoin clients, and gathers other sensitive data such as the Skype message history, the list of installed programs and file extension associations. Because every exploit in this campaign targets a vulnerability that already has a vendor patch, keeping the affected Microsoft products up to date is enough to prevent AZORult from infecting a machine through it.

We've added IDS signatures and the following correlation rule to detect this activity:

System Compromise, Trojan infection, AZORult

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity: